Home Explore Help
Register Sign In
OWEALs
/
uci
mirror of https://git.openwrt.org/project/uci.git
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

uci: fix use-after-free uci_add_list

When uci_add_list is called with ptr->o set and ptr->option = NULL,
then in uci_expand_ptr ptr->option is set to ptr->o->e.name.
If ptr->o->type is UCI_TYPE_STRING then prev is set to ptr->o.
This will result in use-after-free because ptr->option is used in
the call to uci_add_delta in uci_add_element_list after
uci_free_option(prev).

Signed-off-by: Jan Venekamp <jan@venekamp.net>
Jan Venekamp 1 year ago
parent
7e01d66d7b
commit
47697e6579
1 changed files with 2 additions and 0 deletions
Split View Show Diff Stats
  1. 2 0
      list.c

+ 2 - 0
list.c
View File 

@@ -652,6 +652,8 @@ int uci_add_list(struct uci_context *ctx, struct uci_ptr *ptr)
 
 	ptr->o = uci_alloc_list(ptr->s, ptr->option);
 
 	if (prev) {
 
 		uci_add_element_list(ctx, ptr, true);
 
+		if (ptr->option == prev->e.name)
 
+			ptr->option = ptr->o->e.name;
 
 		uci_free_option(prev);
 
 		ptr->value = value2;
 
 	}